If Apple really champions security and anonymity on the web, then these are things that users need to know in advance. No one wants to hear about it from a third-party. Apple has earned my trust and I get closing these flaws quietly but, in the interim, such aggressiveness can be communicated to users with a warning (maybe a color-coded scale per app) and a timeline of when a fix should be expected.
If they tell everyone 'there is an exploit'... then the bad people will know there is an exploit and go looking for it. Better they keep it quiet until it's been fixed like they did here.
 
I could feel my Mac mini becoming ever so slightly less snappy with each iteration of these small 4GB incremental updates.

Yesterday I downgraded after much debate. Now that I'm on 11.2.1 from 11.3.1, I can definitely say that the snappiness thing wasn't just in my imagination. I would have gone further into the past versions such as 11.1 or 11.0 if not for the Bluetooth issues.

It's good they found and fixed some security bug in 11.4. But I can bet my bottom dollar that in the next version of macOS they are going to fix even more bugs that exist and are being exploited now, that we don't know of.
 
That is one nasty zero day exploit. Glad that Apple patched it and even more glad Jamf alerted Apple.
I'm a bit surprised that you can (or previously could)

  • place another binary inside an app bundle (this, so far, is fairly common)
  • have that binary either be not signed at all, or signed with a different certificate (now things get hairy)
  • still have that binary inherit TCC settings! (uhh)

What Apple writes about this:

Impact: A malicious application may be able to bypass Privacy preferences. Apple is aware of a report that this issue may have been actively exploited.

Description: A permissions issue was addressed with improved validation.

That's kinda vague. Are there other loopholes of the same kind, or does Apple now validate that TCC settings only get inherited if the code signing certificate matches?
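A defender-side check for the condition listed in the post above (nested code that is unsigned, ad-hoc signed, or signed by a different team than the enclosing bundle), added here as an example that is not part of any post in this thread. It assumes the `key=value` report format of `codesign -dv`; every bundle name, path and team ID below is constructed.

```python
import re

# Constructed `codesign -dv <path>` output for a bundle and the code nested in it
# (sample text written for this example, not captured from a real system).
OUTER = """Executable=/Applications/Donor.app/Contents/MacOS/Donor
Identifier=com.example.donor
CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=20+7 location=embedded
Signature size=8987
TeamIdentifier=ABCDE12345
"""
NESTED = {
    "Contents/Helpers/Updater.app": "Identifier=com.example.donor.updater\n"
        "Signature size=8987\nTeamIdentifier=ABCDE12345\n",
    "Contents/MacOS/extra.app": "Identifier=extra\n"
        "CodeDirectory v=20400 size=512 flags=0x2(adhoc) hashes=9+2 location=embedded\n"
        "Signature=adhoc\nTeamIdentifier=not set\n",
    "Contents/PlugIns/Other.bundle": "Identifier=org.example.other\n"
        "Signature size=9001\nTeamIdentifier=ZYXWV98765\n",
    "Contents/Resources/tool": "Contents/Resources/tool: code object is not signed at all\n",
}

def parse_codesign(text):
    """Reduce codesign's report to: signed at all, ad-hoc, team identifier."""
    if "code object is not signed at all" in text:
        return {"signed": False, "adhoc": False, "team": None}
    fields = dict(re.findall(r"^([^=\n]+)=(.*)$", text, re.M))
    team = fields.get("TeamIdentifier")
    return {
        "signed": True,
        "adhoc": fields.get("Signature") == "adhoc",
        "team": None if team in (None, "not set") else team,
    }

def audit(outer_text, nested):
    """Return (path, reason) for nested code not signed by the outer bundle's team."""
    outer = parse_codesign(outer_text)
    findings = []
    for path, text in sorted(nested.items()):
        info = parse_codesign(text)
        if not info["signed"]:
            findings.append((path, "unsigned"))
        elif info["adhoc"]:
            findings.append((path, "ad-hoc signature"))
        elif info["team"] != outer["team"]:
            findings.append((path, "team mismatch"))
    return findings

if __name__ == "__main__":
    for path, reason in audit(OUTER, NESTED):
        print(f"{path}: {reason}")
```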
 
If they tell everyone 'there is an exploit'... then the bad people will know there is an exploit and go looking for it. Better they keep it quiet until it's been fixed like they did here.
Yup.

This is standard practice. You give vendors a window of, say, 90 days to fix the issue so that disclosing it doesn't lead to a mayhem of exploits.
 
I could feel my Mac mini becoming ever so slightly less snappy with each iteration of these small 4GB incremental updates.

The updates don't really add much heft. They're that large because they replace some huge binary blobs each time (which I think is a problematic technical decision) — but the net usage of your disk should be virtually the same.
 
The updates don't really add much heft. They're that large because they replace some huge binary blobs each time (which I think is a problematic technical decision) — but the net usage of your disk should be virtually the same.
Well I guess it makes sense since they are adding more and more new features to an OS which will only eventually make the old hardware slower. But I can figure out the difference in response time of apps between various updates (in fresh installs).
 
This is why you should never press on Show Password (the eye icon) when entering password into the password field. And enable 2FA.
 
heheh if Apple wins against EPIC, they will soon lock in macOS just like iOS, and I will LMAO.
Federighi already made an allusion about macOS security and lock-in, better rethink your dev pipelines.
Say goodbye to brew & co..
 
Sigh...that's very true.

Though TBH Apple don't really help that. How often do you get a pop up saying "Random process" wants "random permission" with no explanation of what the permission or process is, no way to verify checksums of the binary etc. After a bit of Googling you find the process is a part of OSX and lots of people have had the pop up.

It shouldn't be this way. If the thing is part of OSX you should be asked at install time, or at some time of your choosing, rather than having a dialog pop up over whatever work you were doing and constantly reappearing if you don't say yes.

Apps should be forced to give some explanation of why they want permissions. Especially why, if it's part of OSX, it doesn't just come with permission.

Apple should have a detailed description of what each permission is about and it should be linked from the dialog.

There should be some simple means to verify the thing that caused the pop up to appear is a signed binary and which one.
 
Though TBH Apple don't really help that. How often do you get a pop up saying "Random process" wants "random permission" with no explanation of what the permission or process is, no way to verify checksums of the binary etc.

Hmm, I don't think that popup can appear at all without a code signature, so verifying the checksum isn't a concern. You can opt out of Gatekeeper's code signature check manually (using the contextual menu, etc.), but I believe if you do, TCC flat-out refuses to grant anything.

But yes, communicating to the user what this process is and how to know whether to trust it is a huge concern.

Apps should be forced to give some explanation of why they want permissions.

For many types of permissions, they do. But yes, this should be unified. It's also grating that, if they need multiple permissions, they need to show multiple dialogs.


There should be some simple means to verify the thing that caused the pop up to appear is a signed binary and which one.
You can check the list of binaries in Security.
 
I am glad that this was reported and solved! Just a thought tho: will antivirus apps detect the malware that attacks this vulnerability?
 
Apps should be forced to give some explanation of why they want permissions. Especially why, if it's part of OSX, it doesn't just come with permission.
And you expect users to read that? A lot of them click on "OK" or "Accept" before the pop-up animation finished.
 
I could feel my Mac mini becoming ever so slightly less snappy with each iteration of these small 4GB incremental updates.
Incremental update does not mean that all of those 4GB are in addition to what you already have. There is a lot of stuff being replaced by the update. In this case most likely a good deal of the kernel and system library files.
 
Taking screen shots and using the camera are two different things, you know?

Reading comprehension is key. The zero-day vulnerability is piggybacking off of permissions without requiring the user’s explicit consent from apps such as Zoom, which does screen sharing and webcam video conferencing, so it's not just screen sharing that is vulnerable.

Once installed on a victim's system, the malware was used specifically for taking screenshots of the user's desktop with no additional permissions required. Jamf said that it could be used to bypass other permissions as well, as long as the donor application the malware piggybacked off of had that permission enabled.

In the latest macOS release (11.4), Apple patched a zero-day exploit (CVE-2021-30713) which bypassed the Transparency Consent and Control (TCC) framework. This is the system that controls what resources applications have access to, such as granting video collaboration software access to the webcam and microphone, in order to participate in virtual meetings. The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent.
 
According to the post by Jamf it only affects macOS 11. The security updates for Mojave and Catalina that also came out today do not list it.
Not entirely clear to me why it only affects macOS 11, though.

If the victim computer is running macOS 11 or greater, it will then sign the avatarde application with an ad-hoc signature, or one that is signed by the computer itself.

Are they saying macOS 11 introduces an ad-hoc signing mechanism? If so, sounds like we could be in for a ride of all kinds of holes…
 
Though TBH Apple don't really help that. How often do you get a pop up saying "Random process" wants "random permission" with no explanation of what the permission or process is, no way to verify checksums of the binary etc. After a bit of Googling you find the process is a part of OSX and lots of people have had the pop up.

It shouldn't be this way. If the thing is part of OSX you should be asked at install time, or at some time of your choosing, rather than having a dialog pop up over whatever work you were doing and constantly reappearing if you don't say yes.

Apps should be forced to give some explanation of why they want permissions. Especially why, if it's part of OSX, it doesn't just come with permission.

Apple should have a detailed description of what each permission is about and it should be linked from the dialog.

There should be some simple means to verify the thing that caused the pop up to appear is a signed binary and which one.

Wouldn't they just be able to lie?
 
Ah, fantastic, ran the update and Photoshop is broken again. Have to turn off GPU acceleration again to be able to open files. Never had this problem with Photoshop before Big Sur. Sigh.
 